HOW WE USE YOUR INFORMATION

Transcription

1 HOW WE USE YOUR INFORMATION Herold Mediatel Ltd compiles the Gibraltar Telephone Directory on behalf of Gibtelecom. Every care is taken to render this Directory as accurate as possible but neither Herold Mediatel nor Gibtelecom accept any responsibility for loss or damage which may arise from errors or omissions. Privacy Policy and Fair Processing Notices are available on and How we use your data for marketing? At Gibyellow (Herold Mediatel Ltd) we believe in being upfront and open with our customers. We have recently updated our Privacy Hub to include all details regarding our Data Protection and Privacy Policy and Fair Processing Notice. This explains why we hold information about you, how we use it and look after it, making sure we store your data safely. Why do we store your details? Herold Mediatel Ltd has collected data from our Business to Business and Business to Consumer networking, our business relationship whilst conducting our directory sales, newsletters, Facebook campaigns and/or surveys we have carried out on behalf of ourselves or Business customers. We use this information to contact you, via our connections newsletters which may include information that may be of interested to you from our business customers looking to engage with other business or consumers. In the course of this we collect personal data about you, but it is limited in nature to your name, contact information and an address. We do not sell or give your data to any third party. If you wish to review the information we hold about you please Data Protection and Privacy Policy 1. Policy Statement a. Everyone has rights with regard to the way in which their personal data is handled. During our business activities, we will collect, store and process personal data about our customers, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations. b. Data users are obliged to comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary action. 2. About this Policy a. The types of personal data that Herold Mediatel Limited ( we, our ) may be required to handle include information about current, past and prospective [advertisers, clients, customers, users, suppliers, employees] and others that we communicate with. b. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Data Protection Act ( DPA ) and other regulations. c. This policy and any other documents referred to in it sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources. d. This policy does not form part of any employee s contract of employment and may be amended at any time. e. This policy sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data. f. Our Fair Processing Notice is located below ( FPN ). 3. Data Protection Terms a. data means information stored electronically or in certain paper-based filing systems. b. data controller means the organisation that determines the purposes for which, and the manner in which any personal data are, or are to be, processed. They are responsible for

2 establishing practices and policies in line with the DPA. We are the data controller of all personal data used in our business for our own commercial purposes. c. data processor means a third party (such as a supplier or contractor) that acts on the instructions of the data controller. We, as the data controller, remain legally responsible for processing performed by a data processor. Employees are not data processors. d. data subject means a person who is identified or identifiable from data that is in our possession or is likely to come into our possession in the future. e. data users mean those of our employees and contractors whose work involves processing personal data. Data users must protect the personal data they handle in accordance with this policy and any applicable data security procedures at all times. f. personal data means data relating to a living data subject. Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour. g. processing means everything that can be done with data during its lifecycle from collection to destruction. h. sensitive personal data means information about a person s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned. 4. Data Protection Principles a. Anyone processing personal data must comply with the eight enforceable data protection principles. These provide that personal data must be: i. Processed fairly and lawfully; ii. Processed only for a specified and lawful purpose; iii. Adequate, relevant and not excessive for the purpose; iv. Accurate and up to date; v. Not kept longer than necessary for the purpose; vi. Processed in accordance with Data Subjects rights; vii. Kept secure; and viii. Not transferred to people or organisations situated in countries without adequate protection. 5. Fair and Lawful Processing Data controller s identity and contact details; a. In the course of our business, we may collect, and process personal data received directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, or otherwise) and received from other sources (including, for example, business partners, sub-contractors in technical, and others). b. For personal data to be processed fairly the data subject must have been provided with the FPN and the data collection cannot deceive or mislead as to the purpose of the processing. c. If we receive personal data about a data subject from other sources, we will provide the data subject with the FPN as soon as possible thereafter. d. The FPN will inform the data subject about the: e. Purpose(s) of the processing and lawful basis relied upon for storing personal data; f. Period for which data will be stored; g. Existence of rights to request access, rectification, erasure or to object to processing; h. Right to lodge a complaint with the Gibraltar Regulatory Authority ( GRA ), and GRA s contact details; T: info@gra.gi i. Recipients or categories of recipients of the Personal Data; j. Intention to transfer data to another country and the level of protection in the destination country; k. Whether provision of data is voluntary or mandatory, and consequences of failing to provide the data; l. Existence of any profiling; and

3 m. Existence of processing activities with a high risk. n. For personal data to be processed lawfully, it must be processed on the basis of one of the legal grounds set out in the DPA. These include, among other things, the data subject s consent, or that the processing is necessary for the performance of a contract with the data subject, for the compliance with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. o. When sensitive personal data is being processed, additional conditions must be met. 6. Specified and Lawful Purpose a. We will ensure our GRA notification is accurate and up-to-day. b. We will only process personal data for the specific purpose(s), or in a manner compatible with the purpose(s), notified to the data subject when we first collect the personal data or as soon as possible thereafter (i.e. in accordance with the FPN provided to the data subject). c. We will only process personal data in a manner compatible with the purpose for which it was obtained. 7. Adequate, Relevant and Not Excessive a. We will ensure that adequate personal data is collected to satisfy the purpose(s) notified to the data subject, especially where the purpose(s) have an impact upon the data subject. b. We will only collect personal data to the extent that it is required for the specific purpose(s) notified to the data subject. 8. Accurate and Up-to-date a. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data. b. We will provide data subjects with the means to obtain a copy of, and correct any inaccuracies in, their personal data. 9. Timely Processing a. We will not keep personal data longer than is necessary for the purpose(s) for which it was collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required. 9. Data Subject's Rights a. We will process all personal data in line with data subjects rights, in particular their rights to i. Access to a copy of the information comprising their personal data; ii.object to processing that is likely to cause or is causing damage or distress; iii. Prevent processing for direct marketing; iv. Object to decisions being taken by automated means; and v. Have inaccurate personal data rectified, blocked, erased or destroyed. vi. We will put in place means and procedures to enable data subjects to exercise their rights without excessive delay or expense. 11. Data Security a. We will take appropriate technical and organisational security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. b. Personal data will only be transferred to a data processor if they agree in a written contract to maintain appropriate security measures. 12. External Transfers

4 a. We may transfer any personal data to a State (country) outside the European Economic Area ( EEA ), provided that one or more of the following conditions applies: i. The country to which personal data is transferred ensures an adequate level of protection for the data subjects rights and freedoms; ii. The data subject has given consent; iii. The transfer is necessary for one of the reasons set out in the DPA, including the performance of a contract with the data subject, or to protect the vital interests of the data subject; iv. The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims; and/or v. Adequate safeguards have been put in place to protect the rights of data subjects. vi. Subject to the requirements in this clause, personal data we hold may also be processed by staff operating outside the EEA who work for us or our suppliers and contractors. 13. Disclosure and Sharing a. We will not share personal data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries. b. We may disclose personal data we hold to third parties: i. In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets; ii. If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets; iii. In order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject; or to protect our rights, property, or safety of our employees, customers, or others; iv. For the purposes of fraud protection and credit risk reduction; and v. In accordance with the FPN. Direct Marketing a. We will only send direct marketing materials consistent with the recipient s consent. b. We will only make marketing lists available to third parties for direct marketing purposes within the scope of the recipient s consent. c. All direct marketing materials will include relevant particulars of the business and any promotional offer, be clearly identifiable as a commercial communication, and will provide the recipient the ability to withdraw or modify their consent. 14. Data Subject Access Requests a. Data subjects must make a formal request for information we hold about them. This must be made in writing. Employees who receive a written request should forward it to their manager immediately. b. When receiving telephone enquiries, we will only disclose personal data if the following conditions are met: i. We will check the caller s identity to make sure that information is only given to the data subject or their authorised representative. ii. We will suggest that the caller put their request in writing together with proof of identification if we are not sure about the caller s identity and where their identity cannot be checked. 15. Compliance and Disciplinary Action a. Compliance with this policy is mandatory for all our employees who process personal data. Failure to comply may result in disciplinary action up to and including termination of employment. 16. Changes to this Policy

5 a. We reserve the right to change this policy at any time without notice. Fair Processing Notice (Privacy Policy) 1. The following fair processing notice ( Notice ) is a broad description of the way this organisation /data controller processes personal data. 2. The Data Control Centre means: 3. Consent a. You consent to the processing of your personal data in accordance with this Notice, as updated from time to time. b. You consent to your personal data being disclosed to third parties, including by sale or trade, in accordance with this Notice, as updated from time to time. c. You consent to your personal data being disclosed to third parties, including by sale or trade, in accordance with this Notice, as updated from time to time. d. You may withdraw consent at any time at the Data Control Centre. 4. Data Protection and Privacy Policy Processing is conducted in accordance with the Data Protection and Privacy Policy located at Data Control Centre. 5. Data controller Data controller ( we our us ) means: Name: Herold Mediatel Limited Registered in: Gibraltar Registration number: Registered address: 2 Irish Place, Irish Town, Gibraltar, GX11 1AA Data protection contact mail: info@gibyellow.gi 6. Data processors We use the following data processors: Serial Data processor Contact details State/ Jurisdiction Legal basis for external transfer Processing activity 1 Xcel Media Ltd Gibraltar Contract Operations including customer service, data operations, product support and account management 2. UkFast.Net Ltd LSC Communications Europe Sp. z o.o United Kingdom Contract Data hosting Poland Contract Printing The Rocket Science USA Contract E-Marketing Group 7. Purposes of data processing a. We, our data processors, and the recipients of the personal data identified in this Notice, process personal information to enable us to: i. Promote goods and services, including by direct marketing; ii. Exchange datasets and marketing lists; iii. Undertake research, modelling and analysis; iv. Maintain our accounts and records; v. Support and manage our employees; vi. Enhancing existing datasets with new information; vii. Creating and processing credit risk assessments; viii. Display of business identity and locations on third-party platforms; ix. Exchanging such data with our contracted partners for similar purposes.

6 b. Other purposes from time to time, which may be updated to this Notice. c. Processing for the above purposes is conducted on the following conditions for legitimate processing: i. Consent of the data subject; ii. Contractual necessity; and/or iii. Legitimate interests of the data controller or third party. 8. Data subjects a. We process personal data about: i. Our advertisers, customers and clients; ii. Employees; iii. Professional advisers and consultants; iv. Suppliers and service providers; v. Complainants and enquirers; vi. Users of the website at and/or vii. Persons involved in businesses throughout Gibraltar. 9. Categories of personal data a. We process personal data including: i. Personal details; ii. Contact details; iii. Education and employment details; iv. Financial details; v. Goods or services provided; and/or vi. Internet browsing habits and interests. b. We do not process sensitive classes of information. 10. Recipients of personal data a. We will not share personal data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries b. We do or may share information, including personal data, with the following third-party recipients (in addition to the data processors identified above): Serial Recipient Contact State/jurisdiction 1. Gibtelecom Gibraltar c. Where necessary or required we share information, including personal data, with the following categories of third party recipients: i. Business associates; ii. Third party contractors as data processors; iii. Debt collection and tracing agencies; and/or d. We may also disclose personal data to third parties: e. In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets; i. If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets; ii. In order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject; or to protect our rights, property, or safety of our employees, customers, or others; and/or iii. For the purposes of fraud protection and credit risk reduction. f. We may also disclose personal data to other third parties from time to time, which may be updated to this Notice. 11. Transferring information outside the EEA

7 a. We regularly transfer personal information overseas. Where this is necessary this may be to countries or territories around the world. We are required to ensure that when we need to do this we comply with the Data Protection Act b. We currently transfer personal data outside of the European Economic Area: United States of America c. We may transfer personal data to other jurisdictions external to the European Economic Area from time to time, which may be updated to this Notice. 12. Provision of personal data a. Provision of personal data is voluntary. b. If you choose not to provide your personal data and consent to this Notice, we may be unable to publish your business record on the directory of businesses hosted at and within datasets shared with third parties. 13. Data subject rights a. As the data subject, you have the right to access a copy of the information comprising your personal data, such access requests can be lodged via the contact us page, Data Control Centre; info@gibyellow.gi. b. As the data subject, you have rights to: i. Object to processing that is likely to cause or is causing damage or distress, such request can be made here; ii. Prevent processing for direct marketing; iii. Object to decisions being taken by automated means; and iv. Have inaccurate personal data rectified, blocked, erased or destroyed. v. Such rights may be exercised via the Data Control Centre at contact us. c. You have the right to lodge a complaint concerning our compliance with the data protection principles with the Information Commissioner here: T: E; info@gra.gi. 14. Data retention period a. We retain personal data indefinitely, until it is identified as no longer correct, or until it is no longer required. 15. Data protection compliance measures a. We complete a data protection impact assessment prior to any significant change to our processing activities or data recipients. We complete periodic data protection audits, at least once per year to ensure ongoing compliance with the data protection legislation. b. This Notice does not form part of any employee's contract of employment, any supplier terms of contract, any user or consumer terms ofcontract, unless expressly stated to the contrary and we may amend it at any time.